#1064 Update PIE section
Merged 8 months ago by tibbs. Opened a year ago by oturpe.
oturpe/packaging-committee simplify-pie into master

@@ -1121,15 +1121,15 @@ 

  

  PIE adds security to executables by composing them entirely of position-independent code. Position-independent code (PIC) is machine instruction code that executes properly regardless of where in memory it resides. PIE allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks.

  

- To use this in your spec, add:

+ In Fedora, PIE is enabled by default. To disable it in your

+ spec, add:

  

  ....

- %global _hardened_build 1

+ %undefine _hardened_build

  ....

  

- This adds `+-fPIC+` (if `+-fPIE+` is not already present) to the compiler flags, and adds `+-z now+` to the linker flags.

- 

- If your package meets any of the following criteria you MUST enable the PIE compiler flags:

+ If your package meets any of the following criteria you

+ MUST NOT disable the PIE compiler flags:

  

  * Your package is long running. This means it's likely to be started and keep running until the machine is rebooted, not start on demand and quit on idle.

  
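Review bot: dropping the line "This adds `+-fPIC+` (if `+-fPIE+` is not already present) to the compiler flags, and adds `+-z now+` to the linker flags." leaves the rewritten paragraph without saying what `%undefine _hardened_build` actually takes away; keep it, reworded for the new default, e.g. "By default `_hardened_build` adds `+-fPIC+` (if `+-fPIE+` is not already present) to the compiler flags and `+-z now+` to the linker flags; undefining it removes both." The new text also shows the opt-out without stating when it may be used; the change description quoted below says non-PIC packages are allowed only when the package does not work otherwise and need a tracker bug, so consider putting that condition directly next to the `%undefine` snippet so maintainers do not read it as free discretion.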
@@ -1137,18 +1137,6 @@ 

  

  * Your package runs as root.

  

- If your package meets the following criteria you should consider enabling the PIE compiler flags:

- 

- * Your package accepts/processes untrusted input.

- 

- FESCo maintains a https://fedoraproject.org/wiki/Hardened_Packages[list of packages] that MUST have PIE turned on. Other packages may enable the flags at the maintainer's discretion.

- 

- There are some notable disadvantages to enabling PIE that should be considered in making the decision:

- 

- * Some code does not compile with PIE (or does not function properly).

- 

- * You can not use prelink on PIE enabled binaries, resulting in a slower startup time.

- 

  == Debuginfo packages

  

  Packages should produce useful `+-debuginfo+` packages, or explicitly disable them when it is not possible to generate a useful one but rpmbuild would do it anyway. Whenever a `+-debuginfo+` package is explicitly disabled, an explanation why it was done is required in the specfile. Debuginfo packages are discussed in more detail in a separate document, xref:Debuginfo.adoc[Packaging:Debuginfo].
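Review bot: removing the disadvantages list also removes the only stated legitimate reason to opt out ("Some code does not compile with PIE (or does not function properly)"), so after this change the `%undefine _hardened_build` snippet in the previous hunk has no documented precondition; keep that bullet, rephrased as the condition under which disabling is acceptable, which also lines up with the tracker-bug requirement quoted in the PR description. The "Your package accepts/processes untrusted input." bullet should likewise not vanish along with the "should consider enabling" paragraph: with PIE now the default it fits naturally in the MUST NOT disable list above. Dropping the FESCo https://fedoraproject.org/wiki/Hardened_Packages[list of packages] link is only right if that list is no longer maintained; otherwise keep the reference so the list of packages that must never opt out stays discoverable.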

Guidelines for Position Independent Executables gave the impression that PIE is opt-in. This has not been true since the Harden All Packages change happened in Fedora 23.

To match the fact that PIE is the default, the guidelines are updated to discuss the opt-out instead of opt-in.

Note: The Harden All Packages change page also says this:

Adjust the Packaging Guidelines to allow non-PIC packages only if the package is not working otherwise and require a tracker bug similar to packages not working on certain archs. Update the Guidelines to reflect the new defaults.

I did not take that into account at all. Should those changes actually be in the guidelines?
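As an added check, not part of this pull request or of the packaging guidelines: the Python script below reads an ELF64 file and reports whether it is a PIE (an `ET_DYN` object that carries a `PT_INTERP` segment or the `DF_1_PIE` dynamic flag) and whether it was linked with `-z now` (`DF_BIND_NOW` in `DT_FLAGS` or `DF_1_NOW` in `DT_FLAGS_1`). That is the check a maintainer would run on a built binary to confirm the `_hardened_build` default was not undefined by accident. The script is mine, assumes a 64-bit little-endian ELF, and the `build_sample_elf` helper fabricates a minimal, non-executable ELF image purely so the checker can be exercised offline; the interpreter path inside it is a constructed sample value, not read from any real file.

```python
"""Check whether an ELF64 binary is a PIE and was linked with -z now (added example)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                       # DT_FLAGS: resolve all symbols at load time (-z now)
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000    # DT_FLAGS_1 equivalents; DF_1_PIE marks a PIE

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)
DYN = struct.Struct("<qQ")                  # ELF64 dynamic entry: (d_tag, d_val)


def check_hardening(data: bytes) -> dict:
    """Return {'type', 'pie', 'bind_now'} for the ELF64 little-endian image in `data`.

    Assumption: 64-bit little-endian ELF only (the common Fedora x86_64/aarch64 case).
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)

    has_interp = False
    dyn_off = dyn_size = 0
    for i in range(e_phnum):                       # walk the program header table
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True                      # asks for a dynamic loader: an executable, not a .so
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    flags = flags1 = 0
    pos = dyn_off
    while dyn_size and pos + DYN.size <= dyn_off + dyn_size:   # scan .dynamic up to DT_NULL
        tag, val = DYN.unpack_from(data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS:
            flags = val
        elif tag == DT_FLAGS_1:
            flags1 = val
        pos += DYN.size

    # An ET_DYN object with an interpreter (or the DF_1_PIE marker) is a PIE;
    # ET_DYN without either is an ordinary shared library, ET_EXEC is a fixed-address binary.
    is_pie = e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE))
    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {"type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
            "pie": is_pie, "bind_now": bind_now}


def build_sample_elf(pie: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (no code, not runnable) with INTERP and DYNAMIC
    segments, so check_hardening() can be exercised without a real binary."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"       # constructed sample interpreter path
    phoff, phnum = EHDR.size, 2
    interp_off = phoff + phnum * PHDR.size
    dyn_off = interp_off + ((len(interp) + 15) // 16) * 16
    flags1 = (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0)
    dynamic = (DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0)
               + DYN.pack(DT_FLAGS_1, flags1)
               + DYN.pack(DT_NULL, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0x1000, phoff, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = (PHDR.pack(PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
             + PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dynamic), len(dynamic), 8))
    image = bytearray(dyn_off + len(dynamic))
    image[0:EHDR.size] = ehdr
    image[phoff:phoff + len(phdrs)] = phdrs
    image[interp_off:interp_off + len(interp)] = interp
    image[dyn_off:dyn_off + len(dynamic)] = dynamic
    return bytes(image)


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:                   # real binaries given on the command line
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:                                           # no arguments: run on the constructed samples
        for pie, now in ((True, True), (False, False)):
            print(f"constructed pie={pie} bind_now={now}:", check_hardening(build_sample_elf(pie, now)))
```

Run it as `python3 check_pie.py /path/to/built/binary` (the file name is hypothetical) to inspect an installed or freshly built executable; a package that kept the default should report `DYN`, `pie: True`, `bind_now: True`, while one that undefined `_hardened_build` typically shows `EXEC` and `bind_now: False`. The parser reads only the file header, program headers and dynamic section, so it does not need `readelf` or any third-party module.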

rebased onto e9d8f588cfe418d8c931014e0ae712c00dff2827

10 months ago

Metadata Update from @tibbs:
- Pull-request tagged with: meeting

10 months ago

rebased onto a0ece6c

8 months ago

Pull-Request has been merged by tibbs

8 months ago